
systemd-security: add some easy wins

We can tighten security by adding the following to
the systemd service file:

* NoNewPrivileges: should never be needed
* DevicePolicy: only basics required
* PrivateDevices: only needs mounted stuff, never devs
* ProtectSystem: no need to change boot
* RestrictAddressFamilies: INET, UNIX only

Signed-off-by: Marc <[email protected]>
Marc 3 years ago
parent
commit
9b6b9cca3d
1 changed files with 5 additions and 0 deletions

init/sftpgo.service

@@ -17,6 +17,11 @@ KillMode=mixed
 PrivateTmp=true
 PrivateTmp=true
 Restart=always
 Restart=always
 RestartSec=10s
 RestartSec=10s
+NoNewPrivileges=yes
+PrivateDevices=yes
+DevicePolicy=closed
+ProtectSystem=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 
 
 [Install]
 [Install]
 WantedBy=multi-user.target
 WantedBy=multi-user.target
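
Review bot: ProtectSystem=true on the added line only makes /usr and the boot loader directories read-only, so /etc and the rest of the filesystem stay writable by the service. Consider ProtectSystem=full, or ProtectSystem=strict together with ReadWritePaths= for the directories the service has to write to, and note in the commit message which paths those are. Separately, DevicePolicy=closed is already implied by PrivateDevices=yes, so that line can be dropped or kept with a comment saying it is there for explicitness. For RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX, a short comment in the unit explaining why these three families are sufficient would help whoever later has to debug a socket() call failing with EAFNOSUPPORT.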